Periodic Reporting for period 4 - SIREN (Securing Internet Routing from the Ground Up)
Periodo di rendicontazione: 2020-08-01 al 2021-01-31
The Internet is hazardously insecure, as evidenced by repeated Internet outages and high-profile attacks. A particularly stubborn problem is securing routing between the tens of thousands of organizational networks, called Autonomous Systems (ASes), which make up the Internet (e.g. Google, Facebook, Bank of America, AT&T). The insecurity of Internet's routing system, namely, the Border Gateway Protocol (BGP), which is the glue that holds the Internet together, is constantly exploited to steal, monitor, and tamper with data traffic. This is, arguably, the Internet's biggest security hole, and constitutes a major threat to national security, financial bodies, and user privacy. Every year several high-profile attacks on the Internet routing system make the news while thousands of others go under the radar. However, despite over a decade of intensive efforts, routing security remains a distant dream.
To remedy BGP’s many security vulnerabilities, researchers and practitioners have invested much effort into designing security solutions for BGP routing. Yet, despite over a decade of Herculean efforts, many technological, political, and economic hurdles hinder, and possibly even prevent, deployment. I argue that the reasons for this are deeply rooted in today’s centralized, top-down, hierarchical paradigm for securing Internet routing. The aim of the planned research project is to put forth and explore a radically new paradigm for securing routing on the Internet. The proposed alternative roadmap for securing the Internet consists of two steps:
1) Jumpstarting BGP security: Devising a novel approach to routing security that bypasses the obstacles facing today’s agenda for securing the Internet. Specifically, the proposed design will be flat, decentralized, fully automated, avoid dependency on a single root-of-trust, and not require modifying/replacing legacy BGP routers.
2) A long-term vision for Internet routing: Leveraging the vast computational resources in modern datacenters, and research on Secure Multi-Party Computation (SMPC), to outsource routing to a small number of entities while retaining flexibility, autonomy and privacy.
The ERC-funded research was also intended to explore whether the solutions devised for the BGP context are also relevant to other network security contexts, such as time synchronization on the Internet.
To remedy BGP’s many security vulnerabilities, researchers and practitioners have invested much effort into designing security solutions for BGP routing. Yet, despite over a decade of Herculean efforts, many technological, political, and economic hurdles hinder, and possibly even prevent, deployment. I argue that the reasons for this are deeply rooted in today’s centralized, top-down, hierarchical paradigm for securing Internet routing. The aim of the planned research project is to put forth and explore a radically new paradigm for securing routing on the Internet. The proposed alternative roadmap for securing the Internet consists of two steps:
1) Jumpstarting BGP security: Devising a novel approach to routing security that bypasses the obstacles facing today’s agenda for securing the Internet. Specifically, the proposed design will be flat, decentralized, fully automated, avoid dependency on a single root-of-trust, and not require modifying/replacing legacy BGP routers.
2) A long-term vision for Internet routing: Leveraging the vast computational resources in modern datacenters, and research on Secure Multi-Party Computation (SMPC), to outsource routing to a small number of entities while retaining flexibility, autonomy and privacy.
The ERC-funded research was also intended to explore whether the solutions devised for the BGP context are also relevant to other network security contexts, such as time synchronization on the Internet.
Internet routing:
The Border Gateway Protocol (BGP) establishes routes between the organizational networks that comprise the Internet. Unfortunately, BGP suffers from significant security vulnerabilities and is perceived as the Internet's biggest security hole. My past research results established that today's agenda for securing Internet routing, as promoted by the Internet Engineering Task Force (IETF), suffers from significant flaws. In particular, while transition to a secure routing technology is expected to be long and gradual, proposed solutions provide meager security benefits in partial adoption and, worse yet, might even introduce new vulnerabilities. In the course of the ERC project, we investigated the reasons for the slow adoption of today's IP-address ownership certification platform (the Resource Public Key Infrastructure). We presented an easily deployable alternative for today’s certification platform. These results were presented at the highly competitive HotNets workshop and NDSS conference. We also showed how our certification platform can be leveraged to protect Internet routing from attacks by presenting a new mechanism, called "path-end" validation. Rigorous security analyses and extensive simulations on empirically-derived datasets establish that path-end validation yields significant benefits even under very limited partial adoption. Path-end validation was presented at both the HotNets workshop and SIGCOMM, the premier publication venue in computer networking, and was awarded the IETF/IRTF Applied Networking Research Prize (https://irtf.org/anrp "awarded for recent results in applied networking research that are relevant for transitioning into shipping Internet products and related standardization efforts").
As part of the development of a long-term vision for Internet routing, I have explored the application of Secure MultiParty Computation (SMPC) to routing in two contexts: (1) at Internet scale (published at PETS 2017), and (2) at Internet eXchange Points (IXPs), the emerging physical convergence points for Internet traffic (at CoNEXT 2017). The results of both studies are encouraging, demonstrating that route computation can be outsourced to a small set of computational parties with reasonable computational and communication overhead while not jeopardizing privacy.
Internet Time Synchronization:
The Network Time Protocol (NTP) synchronizes time across computer systems over the Internet. NTP is highly vulnerable to “time shifting attacks”, which has severe implications for time-sensitive applications and for security mechanisms. We presented Chronos, a secure NTP client whose design leverages ideas from distributed computing theory to achieve good synchronization even in the presence of powerful man-in-the-middle attackers. This was published at NDSS and was awarded the IETF/IRTF Applied Networking Research Prize. In addition, we observed that even with client-side solutions like Chronos in place, NTP remains highly exposed to attacks by malicious timeservers. We explored the implications for time computation of two attack strategies: (1) compromising existing NTP timeservers, and (2) injecting new timeservers into the NTP timeserver pool. We first showed that by gaining control over fairly few existing timeservers, an attacker can shift time at state-level or even continent-level scale. We then demonstrated that injecting new timeservers with disproportionate influence into the NTP timeserver pool is alarmingly simple, and can be leveraged for launching both large-scale opportunistic attacks, and strategic, targeted attacks. We presented an extension to Chronos that addresses these issues. These results have appeared at NDSS.
The Border Gateway Protocol (BGP) establishes routes between the organizational networks that comprise the Internet. Unfortunately, BGP suffers from significant security vulnerabilities and is perceived as the Internet's biggest security hole. My past research results established that today's agenda for securing Internet routing, as promoted by the Internet Engineering Task Force (IETF), suffers from significant flaws. In particular, while transition to a secure routing technology is expected to be long and gradual, proposed solutions provide meager security benefits in partial adoption and, worse yet, might even introduce new vulnerabilities. In the course of the ERC project, we investigated the reasons for the slow adoption of today's IP-address ownership certification platform (the Resource Public Key Infrastructure). We presented an easily deployable alternative for today’s certification platform. These results were presented at the highly competitive HotNets workshop and NDSS conference. We also showed how our certification platform can be leveraged to protect Internet routing from attacks by presenting a new mechanism, called "path-end" validation. Rigorous security analyses and extensive simulations on empirically-derived datasets establish that path-end validation yields significant benefits even under very limited partial adoption. Path-end validation was presented at both the HotNets workshop and SIGCOMM, the premier publication venue in computer networking, and was awarded the IETF/IRTF Applied Networking Research Prize (https://irtf.org/anrp "awarded for recent results in applied networking research that are relevant for transitioning into shipping Internet products and related standardization efforts").
As part of the development of a long-term vision for Internet routing, I have explored the application of Secure MultiParty Computation (SMPC) to routing in two contexts: (1) at Internet scale (published at PETS 2017), and (2) at Internet eXchange Points (IXPs), the emerging physical convergence points for Internet traffic (at CoNEXT 2017). The results of both studies are encouraging, demonstrating that route computation can be outsourced to a small set of computational parties with reasonable computational and communication overhead while not jeopardizing privacy.
Internet Time Synchronization:
The Network Time Protocol (NTP) synchronizes time across computer systems over the Internet. NTP is highly vulnerable to “time shifting attacks”, which has severe implications for time-sensitive applications and for security mechanisms. We presented Chronos, a secure NTP client whose design leverages ideas from distributed computing theory to achieve good synchronization even in the presence of powerful man-in-the-middle attackers. This was published at NDSS and was awarded the IETF/IRTF Applied Networking Research Prize. In addition, we observed that even with client-side solutions like Chronos in place, NTP remains highly exposed to attacks by malicious timeservers. We explored the implications for time computation of two attack strategies: (1) compromising existing NTP timeservers, and (2) injecting new timeservers into the NTP timeserver pool. We first showed that by gaining control over fairly few existing timeservers, an attacker can shift time at state-level or even continent-level scale. We then demonstrated that injecting new timeservers with disproportionate influence into the NTP timeserver pool is alarmingly simple, and can be leveraged for launching both large-scale opportunistic attacks, and strategic, targeted attacks. We presented an extension to Chronos that addresses these issues. These results have appeared at NDSS.
As discussed above, the research project has already yielded the following important results:
1. A comprehensive study of the limitations of today's approach for securing BGP. (Published at NDSS 2017)
2. A novel mechanism for protecting BGP from path-manipulation attacks that is easy and safe to deploy and provides significant benefits even in very partial adoption. (Published at SIGCOMM 2016, awarded the IETF/IRTF Applied Networking Research Prize)
3. Applications of Secure Multiparty Computation to two important routing contexts: (1) computing routes at Internet scale, and (2) at IXPs. This involved the development of highly-optimized SMPC mechanisms for these two contexts. (Published at PETS 2017 and CoNEX7 2016)
4. Novel mechanisms for securing the Network Time Protocol (NTP) from powerful man-in-the-middle attacks. (Published at NDSS 2018 and NDSS 2020, awarded the IETF/IRTF Applied Networking Research Prize)
1. A comprehensive study of the limitations of today's approach for securing BGP. (Published at NDSS 2017)
2. A novel mechanism for protecting BGP from path-manipulation attacks that is easy and safe to deploy and provides significant benefits even in very partial adoption. (Published at SIGCOMM 2016, awarded the IETF/IRTF Applied Networking Research Prize)
3. Applications of Secure Multiparty Computation to two important routing contexts: (1) computing routes at Internet scale, and (2) at IXPs. This involved the development of highly-optimized SMPC mechanisms for these two contexts. (Published at PETS 2017 and CoNEX7 2016)
4. Novel mechanisms for securing the Network Time Protocol (NTP) from powerful man-in-the-middle attacks. (Published at NDSS 2018 and NDSS 2020, awarded the IETF/IRTF Applied Networking Research Prize)